Router Access Control Lists and NNM

Since routers must operate perfectly at all times, network managers do everything they can to prevent unauthorized access. One feature that’s always used is the access control list (ACL), also called simply the access list. This list is a sequence of one-line entries in the router configuration file that can limit access to certain services by certain devices or a range of IP addresses.

Since NNM uses SNMP, it follows that routers should be configured to allow the NNM systems access to the SNMP service on port 161. Access can be further restricted to a certain portion of the MIB (depending on the vendor and the router O/S version). For example, an external access router with a huge routing table will suffer high CPU utilization when NNM queries its routing table. This is very worrisome, since external access routers are monitored closely. By configuring this router to deny access to the routing table, sanity is restored to the minds of the network managers. This does not impact NNM’s autodiscovery process since the management domain does not normally extend to the other side of the external access router. A sample access-list is given in Figure 10-3.

Figure 10-3. A sample router access list.

These lines in a Cisco router configuration file define access-list 2 as the IP addresses 192.6.173.101 and 192.6.173.202. Access-list 2 is then applied to the SNMP agent (snmp-server) so that only devices in this list can perform read-only (RO) operations such as snmpget. The RO community string is public.

access-list 2 permit 192.6.173.101
access-list 2 permit 192.6.173.202
snmp-server community public RO 2
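As an added example (not from the book or from Cisco), the following Python checker parses configuration lines like the three above and evaluates them the way the router's SNMP agent would, so an administrator can confirm that only the NNM stations are admitted before the ACL goes live. It goes beyond Figure 10-3 in handling deny entries, wildcard masks, the `host` and `any` source forms, the implicit deny at the end of every ACL, and a community string with no ACL bound at all (which accepts any source that knows the string); the second community `nnm-rw` and access-list 3 in the sample are constructed for this purpose and do not appear on the page.

```python
import ipaddress
# Constructed sample: the three lines from Figure 10-3 plus a hypothetical
# second ACL/community (not on the page) with a deny entry and a wildcard mask.
SAMPLE_CONFIG = """
access-list 2 permit 192.6.173.101
access-list 2 permit 192.6.173.202
snmp-server community public RO 2
access-list 3 deny 192.6.173.250
access-list 3 permit 192.6.173.0 0.0.0.255
snmp-server community nnm-rw RW 3
"""
ALL_ONES = 0xFFFFFFFF

def _source_spec(tokens):
    """Map ['any'], ['host', A], [A] or [A, WILDCARD] to (base, wildcard) integers."""
    if tokens == ["any"]:
        return 0, ALL_ONES
    if tokens[0] == "host":
        tokens = tokens[1:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1])) if len(tokens) > 1 else 0
    return addr & ~wildcard & ALL_ONES, wildcard  # a 1 bit in the wildcard means "don't care"

def parse_config(text):
    """Return ({acl: [(action, base, wildcard)]}, {community: (mode, acl_or_None)})."""
    acls, communities = {}, {}
    for t in (line.split() for line in text.splitlines()):
        if len(t) >= 4 and t[0] == "access-list" and t[2] in ("permit", "deny"):
            acls.setdefault(t[1], []).append((t[2], *_source_spec(t[3:])))
        elif len(t) >= 4 and t[:2] == ["snmp-server", "community"]:
            communities[t[2]] = (t[3], t[4] if len(t) > 4 else None)
    return acls, communities

def acl_permits(entries, src_ip):
    """Standard-ACL semantics: first match wins; no match hits the implicit 'deny any'."""
    src = int(ipaddress.IPv4Address(src_ip))
    for action, base, wildcard in entries:
        if (src & ~wildcard & ALL_ONES) == base:
            return action == "permit"
    return False

def snmp_access(config_text, src_ip, community):
    """Mode ('RO'/'RW') src_ip obtains with this community string, or None if refused.
    No ACL bound = any source knowing the string; a bound-but-undefined ACL = deny here."""
    acls, communities = parse_config(config_text)
    mode, acl = communities.get(community, (None, None))
    if acl is not None and not acl_permits(acls.get(acl, []), src_ip):
        return None
    return mode
```

Running `snmp_access(SAMPLE_CONFIG, "192.6.173.101", "public")` returns `"RO"`, while any other source address, or a source that offers an unknown community string, gets `None`.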

Routers in a DMZ environment are configured with restrictive ACLs, and for proper operation of autodiscovery, the NNM system should have access to SNMP. That way, if a new device should appear or if a MAC address or device name should change, NNM can detect this configuration event and generate an alarm.
